New Computer Attacks Traced to Iran, Officials Say

SAN FRANCISCO — American officials and corporate security experts examining a new wave of potentially destructive computer attacks striking American corporations, especially energy firms, say they have tracked the attacks back to Iran.

The targets have included several American oil, gas and electricity companies, which government officials have refused to identify. The goal is not espionage, they say, but sabotage. Government officials describe the attacks as probes looking for ways to seize control of critical processing systems.

Investigators began looking at the attacks several months ago, and when the Department of Homeland Security issued a vaguely worded warning this month, a government official told The New York Times that “most everything we have seen is coming from the Middle East.”

Government officials and outside experts on Friday confirmed a report in The Wall Street Journal that the source of the attacks had been narrowed to Iran. They said the evidence was not specific enough to conclude with confidence that the attacks were state-sponsored, but control over the Internet is so centralized in Iran that they said it was hard to imagine the attacks being done without government knowledge.

While the attackers have been unsuccessful to date, they have made enough progress to prompt the Homeland Security warning, which compared the latest threat to the computer virus that hit Saudi Aramco, the world’s largest oil producer, last year. After investigations, American officials concluded that the Aramco attack, and a subsequent one at RasGas, the Qatari energy company, were the work of Iran.

Taken together, officials say, the attacks suggest that Iran’s hacking skills have improved over the past 18 months. The Obama administration has been focused on Iran because the attacks have given the Iranian government a way to retaliate for tightened economic sanctions against it, and for the American and Israeli program that aimed similar attacks, using a virus known as Stuxnet, on the Natanz nuclear enrichment plant.

That effort, code-named Olympic Games, slowed Iran’s progress for months, but also prompted it to create what Iran’s Islamic Revolutionary Guards Corps calls a cyber corps to defend the country.

This week Iran denied being the source of any attacks, and said it had been a victim of American sabotage. In a letter to the editor of The Times, responding to a May 12 article that reported on the new attacks’ similarity to the Saudi Aramco episode, Alireza Miryousefi, the head of the press office of the Iranian mission to the United Nations, wrote that Iran “never engaged in such attacks against its Persian Gulf neighbors, with which Iran has maintained good neighborly relations.”

“Unfortunately, wrongful acts such as authorizing the 2010 Stuxnet attack against Iran have set a bad, and dangerous, precedent in breach of certain principles of international law,” he wrote.

American officials have not offered any technical evidence to back up their assertions of Iranian authorship of the latest attacks, but they describe the recent campaign as different from most attacks against American companies — particularly those from China — which quietly siphon off intellectual property for competitive purposes.

The new attacks, officials say, were devised to destroy data and manipulate the machinery that operates critical control systems, like oil pipelines. One official described them as “probes that suggest someone is looking at how to take control of these systems.”

The White House would not confirm that Iran was the source, but Laura Lucas, a spokeswoman for the National Security Council, said that “mitigating threats in cyberspace, whether theft of intellectual property or intrusions against our critical infrastructure” was a governmentwide initiative and that the United States would consider “all of the measures at its disposal — from diplomatic to law enforcement to economic — when determining how to protect our nation, allies, partners, and interests in cyberspace.”

In the past, government officials have privately warned companies under threat. But Homeland Security was able to issue a broader warning because of an executive order, signed in February, promoting greater information sharing about such threats between the government and private companies that oversee the nation’s critical infrastructure.

An agency called ICS-Cert, which monitors attacks on computer systems that run industrial processes, issued the warning. It said the government was “highly concerned about hostility against critical infrastructure organizations,” and included a link to a previous warning about Shamoon, the virus used in the Saudi Aramco attack last year.

That attack prompted Leon E. Panetta, then defense secretary, to warn of a “cyber-Pearl Harbor” if the United States did not take the threat seriously.

Saudi Aramco and RasGas both said that the attackers had failed in their efforts to infiltrate their oil production systems.

Government officials also say Iran was the source of a separate continuing campaign of attacks on American financial institutions that began last September and has since taken dozens of American banks intermittently offline, costing millions of dollars. But that attack was a less sophisticated “denial of service” effort.

Jeff Moss, chief security officer at the Internet Corporation for Assigned Names and Numbers, the private body that oversees the basic design of the Internet, said: “For the last year, Iran has been focused on disrupting financial institutions’ Web sites. If they are going after energy, and opening a multiprong front, at what point does it cross from annoyance to a threshold?”

A version of this article appears in print on May 25, 2013, on page A10 of the New York edition with the headline: New Computer Attacks Traced to Iran, Officials Say.